Posted by CmdrTaco on Wednesday December 01, 2010 @01:00PM
from the i-see-what-you-did-there dept.

theodp writes "Advertisers no longer want to just buy ads, reports the WSJ. They want to buy access to specific people. In response, the race is on to develop digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. Start-up BlueCava, an anti-piracy company spinoff, is building a 'credit bureau for devices' in which every computer or cellphone will have a 'reputation' based on its user's online behavior, shopping habits and demographics. By the end of next year, BlueCava says it expects to have cataloged one billion of the world's estimated 10 billion devices, and plans to sell this information to advertisers willing to pay top dollar for granular data about people's interests and activities. It's 'the next generation of online advertising,' said BlueCava's David Norris. As controversy grows over intrusive online tracking, regulators are looking to rein it in — the FTC is expected to release a privacy report Wednesday calling for a 'do-not-track' tool for Web browsers."

You do not need to. Simply run your browser in a sandbox. They can't keep ANYTHING there.

Better yet, run your browser in a VM that is a standard OS install and a sandbox inside that. They can't fingerprint that which looks like everything else. (XP standard install with no added fonts/etc...) Also you can add a blocking hosts file. This really screws with advertisers as it destroys all their cookie attempts in any form.

Uh, yeah, about that... did it. Assuming you keep on top of it and update it every time you don't like a particular host, the file grows to be quite large, which isn't a problem, but keeping the file updated gets to be quite a chore. Best to use white/black lists with the help of community updates. You might add to the black list occasionally, but so does everyone else. And there's no Firefox add-on like NoScript; best way to keep those pesky JavaScript hooks out of your hair at the browser level.

OK lumpy, free of charge, I am giving you this idea. Make what you said folks should do an easy, as in click and install, thing and sell it for a reasonable price (one that nets you a profit). I will buy it for my own computers and buy and install it on at least 5 of my relatives.

Consider it as evolution in action: those who don't have the gumption as adults to have a reasonable understanding of their important services and how to manage them, get thrown to the wolves. I mean, "thrown to the advertisers."

By that logic then, when your heating, cooling or refrigerator breaks, you should fix it yourself, and not call a trained professional. And when your car breaks, grab a book and a wrench and get busy. And hope if you fall off the roof, you can remain conscious so you can operate on yourself. Fact is that no one person can be skilled in every field. So instead of sitting on your high horse acting smug and uber because you have some computer skills, think about the fact that you can't do a whole bunch of thin

What the fuck would I need cooling for? Do you think I choose to live in one of those places which are excessively hot? I work in those places, sure; if you pay me well enough to put up with that sort of shit.

or refrigerator breaks,

Fridges are so cheap as to not be worth repairing. And I've never in my life seen one stop working. (If you live in hot climates and have such problems, well that's just another reason for not living in such shitholes.)

"monthly/weekly/daily device rentals, just pay your cell phone bill on time and we'll ship you a used device every month! just hang onto your SIM/SD card and we'll default the device/let somebody else use the 'fingerprinted hardware'"

That won't help. It's not the hardware being fingerprinted. It's the user. The phone is scanning the fingerprint of the user and sending that to the advertiser. Besides, if it is the hardware, do I want to get a phone that the previous owner may have taken to every strip club, brothel, Al Qaida meeting, and presidential assassination attempt? No thanks. I get into enough trouble on my own.

That's talking about identifying and tracking a specific computer, not fingerprinting a user.

Yeah. I did a quick skim of the summary and came to the incorrect (and scary) conclusion that they were developing tech for a cell phone to scan the user's fingerprints as they were using the phone so that advertisers could uniquely identify people. I'm sure law enforcement folk would be jumping on that tech as well.

NO! That lets them know it is okay and that we have to work around it. They need to stay out of our business. This needs to be illegal immediately. This is way over the line. I never gave them permission to track me. Bluecava needs to be shut down.

So if I surf a lot of pr0n and republican/conservative websites (not my usual fare) it might throw them off of me personally, but I wonder how popular of a customer I'd become? If I have multiple tabs open in a variety of topics, how will they catalogue me? Or what if I use lynx? Will they be able to tell I have a visual impairment?

If all the anonymous proxy does is hide your IP address then it probably won't help much. Device fingerprinting is done using much more information than that (obviously, given the article mentions mobile devices which are highly unlikely to have a static IP).

Yes, you can probably use an anonymous proxy and/or randomly scramble your device's external signature (MAC address, browser string, response time, etc.) in order to make it harder to track you.

What I wonder is if companies will start differentiating between "good consumers" and "bad consumers". Right now we have access to many services because of an implicit agreement: "I'll let you access the site but you'll see some ads". But if they have a very fine-grained way to determine what consumers respond t

Actually that's fine, too. If they start blocking people who don't spend enough money pre-emptively then suddenly they've sent potential future customers directly to their competitors. If you stop someone from even being able to be your customer, you can be certain they will never change their mind.

It's the same thing that happens to sites that have a following, then erect a paywall and discover nobody reads the site any more. They take the paywall down, but the users never come back. Any site that tries to

Somewhat like OpenID, where all the IPs belonging to a user are linked to a master ID.
To identify a person linked to a particular IP, its respective master ID is used, which gives the required information.

Good point. The Web sites are not going to do the analysis themselves: they're going to include a link to BlueCava. You and I will block BlueCava but they won't care because we are too small a minority to matter to advertisers. Thus we can "opt out" as we did with DoubleClick.

Of course right now anyone who cares enough can block tracking scripts, web bugs, ad servers, and so on.

But if something like this would ever catch on in a big way, the internet could eventually be increasingly closed off to those without a good "score". The very act of acting to avoid being tracked will also put ever increasing amounts of the internet off limits.

Make no mistake, the internet may have started as an open thing, but it is a HUGELY juicy target for people wanting to control it. Anything they

This has VERY interesting possibilities for digital forensics as well. I get the feeling that the bluecava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

This has VERY interesting possibilities for digital forensics as well. I get the feeling that the bluecava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

I would be very surprised if it hasn't dawned on them yet. From an interview [adexchanger.com]:

Businesses can also determine if devices have a history of committing fraud, so they can protect themselves.

Note in that interview, BlueCava CEO David Norris is very careful to portray the technology as linked solely to the device and not the user. And there is a lot of effort to portray BlueCava as providing control of information to the end user. But the reality is that linking user to device is trivial (as you noted) and end users tend to not grasp implications of data security. However, the initial money is unlikely to be in forensics and for the system to work, you have to convince people to not fight it.

How about we make it a 64 bit id and call it an ip address? Having a static, routable IP address would make it worth it to me. Then when I really want privacy I can use a proxy.

It looks like in this case they are trying to use the UserAgent and other info available to JavaScript, like the EFF warned about [eff.org]. Check that link out, you can discover how unique your browser is.

Someone can easily write a Firefox plugin that will munge the JavaScript data. Make it random every time or hide everything but "standard" stuff. If you look like everyone else, you can hide in plain sight.

If we can find out what all of the information they are tracking to create this fingerprint is, there should be a way via browser extension (which would need to be created) to whittle down what is actually transmitted to the most generic set that provides the minimal info necessary to correctly view the page. For example, I don't see why the user agent string needs to be accurate beyond your browser and major version.

You think that's weird, try it with JavaScript enabled. My browser signature is *unique*. Apparently no one in the 1.2 million or so person sample group is using the latest Firefox on WinXP with my particular combination of add-ons (yes, it could see my add-ons). Which means... Relatively more "power-users" are easily identifiable by this technology than "normal people". The more vanilla your browser set-up is, the harder you are to recognize (at least through this metric)
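The uniqueness measurement these comments describe, worked through as an added example that is not part of the original thread. The sample population, the simplified user-agent strings and all function names are constructed for illustration; the script compares how identifiable one "power user" browser is with its full attribute set against the coarsened user agent (browser name and major version only) suggested above.

```javascript
// Constructed sample: simplified stand-ins for values a page script can read.
// Not real user-agent strings and not data from the EFF study.
const population = [
  { ua: "Firefox/3.6.12 (Windows NT 5.1)", screen: "1280x1024", plugins: "flash" },
  { ua: "Firefox/3.6.10 (Windows NT 5.1)", screen: "1280x1024", plugins: "flash" },
  { ua: "Firefox/3.6.12 (Windows NT 6.1)", screen: "1280x1024", plugins: "flash" },
  { ua: "Opera/10.63 (X11; Linux)",        screen: "1280x1024", plugins: "flash" },
  { ua: "MSIE/8.0 (Windows NT 5.1)",       screen: "1024x768",  plugins: "flash" },
  { ua: "MSIE/8.0 (Windows NT 5.1)",       screen: "1024x768",  plugins: "flash" },
  { ua: "MSIE/7.0 (Windows NT 6.0)",       screen: "1024x768",  plugins: "flash,java" },
  // The "power user": common browser, unusual plugin combination.
  { ua: "Firefox/3.6.12 (Windows NT 5.1)", screen: "1280x1024", plugins: "flash,java,silverlight" },
];
const powerUser = population[7];

// Join the chosen attributes into one comparable fingerprint string.
function fingerprint(rec, attrs) {
  return attrs.map((a) => rec[a]).join("|");
}

// How many browsers in the sample are indistinguishable from `target`.
function anonymitySet(pop, target, attrs) {
  const fp = fingerprint(target, attrs);
  return pop.filter((r) => fingerprint(r, attrs) === fp).length;
}

// Identifying information in bits: log2(N / anonymity set size).
function surprisalBits(pop, target, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, target, attrs));
}

// Shannon entropy (bits) of the fingerprint distribution over the sample.
function entropyBits(pop, attrs) {
  const counts = new Map();
  for (const r of pop) {
    const fp = fingerprint(r, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) h += (c / pop.length) * Math.log2(pop.length / c);
  return h;
}

// Mitigation from the thread: report only browser name and major version.
function coarsenUA(rec) {
  const m = /^([A-Za-z]+)\/(\d+)/.exec(rec.ua);
  return { ...rec, ua: m ? `${m[1]}/${m[2]}` : "unknown" };
}

const coarse = population.map(coarsenUA);
console.log("full:", anonymitySet(population, powerUser, ["ua", "screen", "plugins"]));
console.log("coarse UA, no plugin list:", anonymitySet(coarse, coarse[7], ["ua", "screen"]));
```

In this sample the plugin list alone makes the power user unique (3 bits out of a possible 3), while hiding it and coarsening the user agent puts the same browser in a group of four.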

1) Except for the round trip time for you to talk to the server. It only makes it better for them that NTP makes this more accurate.
2) You manually did not install it, but some applications still install fonts they use.
3) You would be identified as someone who changes screen size too often and after awhile become unique.
4) Refer 3. Besides the version of flash, acrobat reader, you are running also make you unique
5) That makes you unique. You must be the only one with user agent as "recently updated FF, MSIE

Yes, but as with anything, JavaScript was also extremely powerful. Flash not so much (extremely SLOW). A lot of really nice stuff exists solely because of javascript, without which we would have a lot more loading and reloading the same content.

Firefox is open source. All of the above can easily be done to make a "screw you" version of Firefox that will hurt fingerprinting. If a LOT of people use that version then it goes even further to destroy the fingerprinting.

3. Yeah foolproof unless it measures the size of the banner that has been set to stretch till it fits the width of the screen
4. Until the server tries to poke you by sending a flash video (when you claim to not have it) and may be try to display an ad (when you claim to not have adblock)
5. Depending on the User Agent you send, the server can send you a set of Javascript tests that run on your machine and see if you are lying.

Besides you only have to go wrong once and you become completely unique henceforth.

Make fun all you like but this is already being done and works rather well.
Try your own computer [eff.org] (and that's using very basic fingerprinting).
That a tiny percentage of users may take measures against such fingerprinting is irrelevant. At worst they are an irrelevantly small number and the fact such machines would appear to be attempting to avoid fingerprinting might be enough of a risk identifier in itself (for ecommerce transactions for example).

My profile will tell advertisers to leave me the f*ck alone. I don't want all their crap. I don't want them tracking me. I won't buy the crap they push on me. They're wasting their time and money by trying to track me and advertise to me.

That is an interesting take. Let the advertisers target the hyper-consumerists (ie, the majority) and leave the rest of us alone.

Of course, then they might object to giving "deadbeats" access to "free" content which is ad-based. Why allow us to watch X if we're not going to pony up for the shiny things being advertised between bits of content?

That is an interesting take. Let the advertisers target the hyper-consumerists (ie, the majority) and leave the rest of us alone.

Of course, then they might object to giving "deadbeats" access to "free" content which is ad-based. Why allow us to watch X if we're not going to pony up for the shiny things being advertised between bits of content?

Do they have the right to discriminate who to provide service to if they claim their service is free? I don't know.

They not only have to profile all devices on almost all sites, they also have to get merchants to share who made a purchase. Vendors aren't going to share this for free and without any control. Then they'll have to get the EU to approve it.

The way I see it, people need to share their surfing. Make the tracking companies see the aggregate of several (random) people's surfing habits rather than just one. Maybe random swapping of IP addresses from time-to-time? (I'm not trained in internet protocols, so I have no idea how this would be done.)

Changing the IP would not work well and it may be different from session to session anyway due to dynamic IP allocation at your ISP. What you need is a browser plugin that injects a seed of randomization into the browser information returned to the collection server, which changes that seed in an unpredictable way. If each http connection back to the server exchanges different "user" information then their whole scheme for collecting 'some sense of uniqueness' is blown completely out of the water.

We can and will abuse this technology with anti-forensics. Eventually our user agent will say, "Firefox on Windows. Fuck you, bitch." Today it says "Firefox on Windows XP with these plug-ins, these fonts, given time, screen resolution, patch level, version of .NET installed..." Uh. We should have a per-site configuration to even identify that Flash is installed or run add-ons, much less tell the world what we have or let them query everything through Javascript.

...I don't view ads on the internet. Ever. Not on my phone, not on my desktop/laptop, nowhere. The only advertising I see is on live sporting events on TV. Otherwise I watch TV delayed on my DVR and zap through the ads. They can waste all the money they want on me. I'm not looking at ads.

It will upload addresses you visit to a huge anonymous pool, and retrieve random addresses from this pool as well, loading them (fully) in the background. Say a random page once every 10 seconds (or even better - at random time intervals). It will also visit a minimum of four links from each page it visits.

It will install random plug-ins as well (preferably making them inactive, but without revealing it), just to hide that as a potential signature.

You know, it's easy to get inflamed about this idea since it's all about advertising, tracking, privacy, and corporate profits... but if a similar article appeared about a system designed to counteract spam and fraud, I wonder what the reaction would be here on slashdot?

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find

but if a similar article appeared about a system designed to counteract spam and fraud, I wonder what the reaction would be here on slashdot?

If it was this intrusive, I suspect not so well either.

It's not like we've shown wholesale support for "enhanced" pat-downs and invasive scans in the name of looking for bad guys. Most of us will be ready to pillory any idiot who says "if you're innocent, what are you worried about" -- because it's bullshit.

Not likely, folks around here also get upset when this sort of thing is done for security reasons because it frequently ends up being used for other things. Sort of like the GPS built into handsets for 911 use which is now all of a sudden available for law enforcement surveillance. And how Onstar can initiate a session where they listen in to whatever you're doing in your car. Sure it doesn't have to happen, but in practice the spineless cowards demanding more safety tend to drown out the individuals who wa

If you love privacy then you jailbreak/root your phone, and disable this crap or install safeguards. My iPhone for example serves up ZERO ads in any apps and the browser, easy to do once you have access to the hosts file inside.